I have confirmed this bug at two sites using seven different AirPort Base Stations. I thought I had updated the Access Control List (ACL) on multiple Base Stations to allow several new computers and devices on the networks. Afterwards, however, users claimed trouble accessing in some locations -- that turned out to be true anywhere there was an AirPort Extreme-N Base Station; the older AirPort-Gs worked fine. Here's the mix of gear I was using to confirm this issue:

Airport Utility v5.4.1

Airport Extreme-N Firmware v7.4.1

Airport Extreme-N Base Station (both 10/100 and 10/100/1000 versions) with an existing ACL

PowerMac G5 - Mac OS 10.5.6 Server

PowerMac G4 - Mac OS 10.4.11

The Problem: Using Airport Utility v5.4.1, importing an Access Control List (File » (Option key) Import Access Controls) shows the updated ACL in the Access tab list. When the Base Station is updated and the configuration redisplayed, none of the new ACL entries appear on the list -- so none of the new devices have access to the base station. The ACL was not updated or overwritten. I was expecting it to be completely overwritten by the imported data, as happened before the most recent software and firmware updates.

Here's the workaround: Manually delete (by selecting one and clicking the minus sign below the list) all of the existing ACL entries before importing the list. The import/overwrite used to work prior to the AirPort Utility 5.4.1 and v7.4.1 firmware updates -- now it's broken. The need to manually delete dozens of entries on multiple Base Stations is very, very time consuming.]

I'm not sure why you'd use ACLs at all in the first place. They're more trouble than it's worth in my experience, and the level of security they provide is questionable as it's trivial to spoof a MAC address.

First, while ACLs are not terribly secure (it is easy enough to spoof a MAC address), they do offer at least a speed bump to access to your wireless network. To spoof a MAC address you first have to know one that is on the ACL in order to gain access. Given the large number of addresses, guessing one that's on my private list might be difficult or take a long time. Also, most people will shrug and give up as soon as the network denies them access. Every little bit helps.

Of course, combining an ACL with one of the WPA variants is even better security. Hiding the SSID so that your network is mostly invisible is about as secure as you're going to get with off-the-shelf commercial/consumer equipment. Or, you can use a RADIUS server and 802.11x authentication for each client. How many of those layers you choose to implement is entirely up to you.

Second, the file format. The basic format is a tab delimited list in plain text:

00:aa:bb:33:99:11 device name

With the colon-separated wireless MAC address of each allowed device (computer, iPhone, printer, etc.) followed by a tab then the whatever name you want to assign to the device on the ACL. Terminate each line with a return and start over for the next device. You can create the list using TextEdit or any other plain text editor on your Mac.

Apple has not really documented much about using ACLs, other than you can do it and can enter the devices on-by-one in Airport Utility. That method does not work well when you manage a list of 100+ devices on multiple bases stations. When I bought my first Extreme-N base station it took a call to Apple Support to find out how to get the ACL import to work.

In the old Airport utility, the ACL import was obvious and included on the drop down menu next to the list. In the Utility v5.x it requires holding down the Option key while clicking on the file menu.

In the old version the MAC addresses could be a string of hex digits. In v5.x it must be colon-separated.